Martin Norland wrote:
Jochem Maas wrote:

Yemi Obembe wrote:

the objective of the script below is to first search if a subscriber is already in a list before subscribing his email (so as to prevent double subscription). the select part works fine....but the insert doesn't. know why?
if ($v = strtolower($_POST['email'])) {

what happens when $_POST['email'] is equal to

document.location = ""+document.cookie;

or something like that? Just something to think about.

Then the malicious user gets to send their own cookies for this site to another site of their choosing :P. I would be more worried about it being equal to things like:

"Spam my Enemy <[EMAIL PROTECTED]>"
+ "Spam my Enemy also <[EMAIL PROTECTED]>"
+ etc.
"\r\nFrom: Idiots Inc. <[EMAIL PROTECTED]>"
"'; Delete from arbitrary_table_name where 'yes'='yes"

ah yes - that would be an effective attack in/on an email ;-)

All of which are easily prevented with some attention to detail. (or in some cases newer versions of software, which explicitly allow only one statement per call). Finally - the concept of bind variables (or equivalent) is your friend (as Jochem already knows with firebird iirc).

yes indeed! praise to the guy who wrote the new firebird extension :-), savin' my ass on a daily basis :-)
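An added example, not code from the thread, of the "check, then insert" step done the way Martin and Jochem suggest: the address is validated before it is used anywhere and both queries use bound parameters. The table layout, the PDO/SQLite setup and the function names are assumptions.

```php
<?php
// Added example, not from the thread: the "check, then insert" step with
// validation and bound parameters. Table layout and PDO/SQLite are assumed.
declare(strict_types=1);

// Accept only a single bare address. This rejects the CR/LF header-injection
// payloads and the "Name <addr>" forms quoted in the thread.
function cleanEmail(string $raw): ?string
{
    $v = strtolower(trim($raw));
    if (strlen($v) > 254 || preg_match('/[\r\n\0]/', $v)) {
        return null;
    }
    return filter_var($v, FILTER_VALIDATE_EMAIL) === false ? null : $v;
}

// Assumes: CREATE TABLE subscribers (email VARCHAR(254) PRIMARY KEY).
// The unique key is what really prevents double subscription; the SELECT
// only gives a friendlier message and cannot be raced.
function subscribe(PDO $db, string $raw): string
{
    $email = cleanEmail($raw);
    if ($email === null) {
        return 'invalid';
    }
    $sel = $db->prepare('SELECT 1 FROM subscribers WHERE email = :email');
    $sel->execute([':email' => $email]);
    if ($sel->fetchColumn() !== false) {
        return 'exists';
    }
    $ins = $db->prepare('INSERT INTO subscribers (email) VALUES (:email)');
    try {
        $ins->execute([':email' => $email]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') { // duplicate key: lost the race
            return 'exists';
        }
        throw $e;
    }
    return 'subscribed';
}

// Demo on an in-memory SQLite database with constructed inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (email VARCHAR(254) PRIMARY KEY)');
foreach (['User@Example.org', 'user@example.org',
          "x@example.org\r\nFrom: Idiots Inc. <spam@example.org>",
          "'; Delete from arbitrary_table_name where 'yes'='yes"] as $input) {
    echo json_encode($input), ' => ', subscribe($db, $input), "\n";
}
```

The first input is subscribed, the second (same address, different case) is reported as already present, and the two payloads from the thread are rejected before either query runs.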


-- PHP Database Mailing List